VYPR

CRM

by Churchcrm


CVEs (43)

  • CVE-2026-24854 (Jan 30, 2026)
    risk 0.00 cvss, epss 0.00

    ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID`…

  • CVE-2025-68275 (Dec 17, 2025)
    risk 0.00 cvss, epss 0.00

    ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a stored cross-site scripting vulnerability on the pages `View Active People`, `View Inactive people`, and `View All People`. Version 6.5.3 fixes the issue.

  • CVE-2025-68401 (Dec 17, 2025)
    risk 0.00 cvss, epss 0.00

    ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this content, attacker-controlled JavaScript executes in their browser (stored XSS).…

  • CVE-2025-68400 (Dec 17, 2025)
    risk 0.00 cvss, epss 0.00

    ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint `/Reports/ConfirmReportEmail.php` in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly…

  • CVE-2025-68399 (Dec 17, 2025)
    risk 0.00 cvss, epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vulnerability within the GroupEditor.php page of the application. When a user attempts to create a group role, they can execute malicious JavaScript.…

  • CVE-2025-68112 (Dec 17, 2025)
    risk 0.00 cvss, epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential…

  • CVE-2025-68111 (Dec 17, 2025)
    risk 0.00 cvss, epss 0.00

    ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability exists in the `eGive.php` file within the "ReImport" functionality. An authenticated user with finance privileges can execute arbitrary SQL queries by manipulating the…

  • CVE-2025-68110 (Dec 17, 2025)
    risk 0.00 cvss, epss 0.00

    ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message, including the host, IP, username, and password. Version 6.5.3 fixes the issue.

  • CVE-2025-67877 (Dec 17, 2025)
    risk 0.00 cvss, epss 0.00

    ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the `src/CartToFamily.php` file, specifically in how the `PersonAddress` POST parameter is handled. Unlike other parameters in the same file which are correctly…

  • CVE-2025-67876 (Dec 17, 2025)
    risk 0.00 cvss, epss 0.00

    ChurchCRM is an open-source church management system. A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions 6.4.0 and prior that allows a low-privilege user with the “Manage Groups” permission to inject persistent JavaScript into group role names.…

  • CVE-2025-67875 (Dec 17, 2025)
    risk 0.00 cvss, epss 0.00

    ChurchCRM is an open-source church management system. A privilege escalation vulnerability exists in ChurchCRM prior to version 6.5.3. An authenticated user with specific mid-level permissions ("Edit Records" and "Manage Properties and Classifications") can inject a persistent…

  • CVE-2025-66397 (Dec 17, 2025)
    risk 0.00 cvss, epss 0.00

    ChurchCRM is an open-source church management system. Prior to version 6.5.3, the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions in the Kiosk Manager feature suffer from broken access control, allowing any authenticated user to allow and accept kiosk…

  • CVE-2025-66396 (Dec 17, 2025)
    risk 0.00 cvss, epss 0.00

    ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/UserEditor.php` file. When an administrator saves a user's configuration settings, the keys of the `type` POST parameter array are not properly…

  • CVE-2025-66395 (Dec 17, 2025)
    risk 0.00 cvss, epss 0.00

    ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/ListEvents.php` file. When filtering events by type, the `WhichType` POST parameter is not properly sanitized or type-casted before being used in…

  • CVE-2025-67751 (Dec 16, 2025)
    risk 0.00 cvss, epss 0.00

    ChurchCRM is an open-source church management system. Prior to version 6.5.0, a SQL injection vulnerability exists in the `EventEditor.php` file. When creating a new event and selecting an event type, the `EN_tyid` POST parameter is not sanitized. This allows an authenticated…

  • CVE-2025-67874 (Dec 16, 2025)
    risk 0.00 cvss, epss 0.00

    ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify…

  • CVE-2025-66313 (Dec 1, 2025)
    risk 0.00 cvss, epss 0.00

    ChurchCRM is an open-source church management system. In ChurchCRM 6.2.0 and earlier, there is a time-based blind SQL injection in the handling of the 1FieldSec parameter. Injecting SLEEP() causes deterministic server-side delays, proving the value is incorporated into a SQL…

  • CVE-2024-39304 (Jul 26, 2024)
    risk 0.00 cvss, epss 0.03

    ChurchCRM is an open-source church management system. Versions of the application prior to 5.9.2 are vulnerable to an authenticated SQL injection due to an improper sanitization of user input. Authentication is required, but no elevated privileges are necessary. This allows…

  • CVE-2024-25893 (Feb 21, 2024)
    risk 0.00 cvss, epss 0.00

    ChurchCRM 5.5.0 FRCertificates.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter.

  • CVE-2024-25892 (Feb 21, 2024)
    risk 0.00 cvss, epss 0.01

    ChurchCRM 5.5.0 ConfirmReport.php is vulnerable to Blind SQL Injection (Time-based) via the familyId GET parameter.